1.0 Introduction

Recently, a threat actor group tracked as “UNC3944” by the cybersecurity firm Mandiant, and also known as Roasted 0ktapus and Scattered Spider, has been reported to hijack Microsoft Azure Virtual Machines (VMs) by connecting through the Azure Serial Console and installing third-party remote management software in targeted customer environments. In addition to evading the standard detection techniques used in Azure, this attack method gave the attacker full administrative access to the VM. Unfortunately, cloud resources are frequently misunderstood, resulting in configuration errors that can expose these assets to attack.

UNC3944, also known as Roasted 0ktapus and Scattered Spider, is a financially motivated threat actor that has been active since at least May 2022. Their tactics often include SIM swapping attacks followed by the establishment of persistence using compromised accounts. Their campaign abuses Microsoft’s cloud computing infrastructure to steal data from victimized organizations. The STONESTOP (loader) and POORTRY (kernel-mode driver) toolkit for terminating security applications was previously attributed to UNC3944; the threat actors used stolen Microsoft hardware developer accounts to sign their kernel drivers.


2.0 Impact

  • Attackers gain full access to the Azure VM.
  • Export information about the users in the tenant.
  • Gather information about the Azure environment configuration and the various VMs.
  • Create or modify accounts.


3.0 Affected System and Devices

  • Microsoft Azure Cloud VM environments


4.0 Technical Details

4.1 SIM Swapping Azure Admins

Initial access to the Azure administrator’s account is gained using stolen credentials obtained through SMS phishing, a technique frequently used by UNC3944. The attackers then impersonate the administrator when speaking with help desk representatives in order to induce them to send a multi-factor authentication reset code by SMS to the target’s phone number.

However, because the attacker has previously SIM-swapped the administrator’s number and ported it to their own device, they receive the 2FA token without the victim being aware of the compromise. Mandiant has not yet determined how the attackers carry out the SIM-swapping portion of their operation. However, prior incidents have shown that facilitating illegitimate number ports requires only knowing the target’s phone number and collaborating with dishonest telecom staff.

As soon as the attackers gain access to the targeted company’s Azure environment, they use their administrator rights to gather data, modify existing Azure accounts, or even create new ones.

Figure: Initial access diagram (Mandiant)

4.2 Living-off-the-Land (LotL) Tactic

In the subsequent phase of the attack, UNC3944 uses Azure Extensions to perform surveillance, collect data, disguise malicious activity as apparently innocent everyday tasks, and blend in with regular activity.

Azure Extensions are “add-on” features and services that can be added to an Azure Virtual Machine (VM) to enhance functionality, automate processes, and so on. Because they execute inside the VM and are frequently used for legitimate purposes, these extensions are stealthy and attract little suspicion.

In this instance the threat actor used “CollectGuestLogs”, one of the built-in Azure diagnostic extensions, to acquire log files from the compromised endpoint. Moreover, Mandiant has found evidence of the threat actor attempting to misuse additional extensions, listed in the figure below:

Figure: Extensions the threat actor attempted to abuse (Mandiant)


4.3 Breaching VMs to Steal Data

UNC3944 then accesses the administrative console of the VMs using the Azure Serial Console and issues commands via a command prompt over the serial port. According to Mandiant’s assessment, this attack method was unique in that it avoided many of the traditional detection methods employed in Azure and gave the attacker full administrative access to the VM.

Mandiant found that the first command the intruders run is “whoami”, in order to identify the currently signed-in user and obtain the information needed for further exploitation.

Figure: Using Azure Serial Console to gain access to a virtual machine (Mandiant)
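As an added illustration (not code from this advisory or from Mandiant), the following Python sketch flags the two Activity Log operations described in sections 4.2 and 4.3, a Serial Console login and a VM extension deployment, and escalates any VM where both occur from the same caller. The operation names are the Azure RBAC action names for those operations; the record layout is simplified and the sample records are constructed, so field names must be mapped to a real Activity Log export before use.

```python
from collections import defaultdict
# Azure RBAC action names for a Serial Console login and a VM extension write.
SERIAL_CONSOLE_CONNECT = "microsoft.serialconsole/serialports/connect/action"
EXTENSION_WRITE = "microsoft.compute/virtualmachines/extensions/write"

# Constructed sample records with simplified Activity Log fields (not real data).
VM_PREFIX = "/subscriptions/PLACEHOLDER/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/"
SAMPLE_RECORDS = [
    {"time": "2023-05-17T02:10:00Z", "caller": "admin@example.test",
     "operationName": "Microsoft.Compute/virtualMachines/extensions/write",
     "resourceId": VM_PREFIX + "vm-app01/extensions/CollectGuestLogs"},
    {"time": "2023-05-17T02:14:00Z", "caller": "admin@example.test",
     "operationName": "Microsoft.SerialConsole/serialPorts/connect/action",
     "resourceId": VM_PREFIX + "vm-app01"},
    {"time": "2023-05-17T09:00:00Z", "caller": "ops@example.test",
     "operationName": "Microsoft.Compute/virtualMachines/start/action",
     "resourceId": VM_PREFIX + "vm-app02"},
]

def vm_name(resource_id):
    # Extract the VM name from the resource id (assumes the standard casing).
    return resource_id.split("/virtualMachines/")[-1].split("/")[0]

def classify(record):
    # Tag a record as a serial console login or an extension write, else None.
    op = record.get("operationName", "").lower()
    if op == SERIAL_CONSOLE_CONNECT:
        return "serial_console_connect"
    if op == EXTENSION_WRITE:
        return "extension_write:" + record["resourceId"].rsplit("/", 1)[-1]
    return None

def find_findings(records):
    # Group flagged events per VM; a serial console login plus an extension write
    # from a single caller on one VM is escalated to "lotl_chain", else "review".
    per_vm = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["time"]):  # ISO 8601 sorts lexically
        kind = classify(rec)
        if kind:
            per_vm[vm_name(rec["resourceId"])].append((rec["caller"], kind))
    findings = []
    for vm, events in per_vm.items():
        kinds = [k for _, k in events]
        callers = sorted({c for c, _ in events})
        chained = ("serial_console_connect" in kinds and len(callers) == 1
                   and any(k.startswith("extension_write:") for k in kinds))
        findings.append({"vm": vm, "callers": callers, "events": kinds,
                         "severity": "lotl_chain" if chained else "review"})
    return findings
```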

The threat actors then use PowerShell to install several commercially available remote administration tools, which Mandiant’s report does not name, in order to maintain their presence on the VM.

UNC3944’s next move is to build a reverse SSH tunnel to their C2 server in order to maintain covert and ongoing access over a secure channel and bypass network restrictions and security controls.

To enable direct access to the Azure VM using Remote Desktop, the attacker configures the reverse tunnel with port forwarding. For instance, any incoming connection to the remote machine’s port 12345 would be forwarded to the local host’s Remote Desktop Protocol (RDP) service port, port 3389.

Only after gaining access to the affected Azure VM via the reverse shell, with the help of a compromised user account, do the attackers move to take over more of the compromised environment while stealing data.


5.0 Recommendations

MyCERT recommends that users and administrators follow the security best practices recommended by Microsoft for Azure virtual machine environments, as follows:

  • Enable Microsoft Defender for Cloud.
  • Improve your Secure Score.
  • Require multi-factor authentication.
  • Enable Conditional Access.
  • Collect audit logs.
  • Use RemoteApps.
  • Monitor usage with Azure Monitor.
  • Encrypt your VM.

You may refer to the full guide here: https://learn.microsoft.com/en-us/azure/virtual-machines/security-recommendations

Generally, MyCERT advises users of these systems to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours)  
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my


6.0 References